git.ipfire.org Git - thirdparty/squid.git/commit

author	Christos Tsantilas <chtsanti@users.sourceforge.net>
	Thu, 8 Sep 2016 12:27:06 +0000 (00:27 +1200)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Thu, 8 Sep 2016 12:27:06 +0000 (00:27 +1200)
commit	3cdea01c5311c5abbed267eb3274f8b90786c121
tree	5b79d124929cfc2a4087dc3b4ebb66d10e30d169	tree
parent	e571d3e137be237ac2e36152bbc47d651b013b0f	commit \| diff

SSL CN wildcard must only match a single domain component [fragment].

When comparing the requested domain name with a certificate Common Name,
Squid expanded wildcard to cover more than one domain name label (a.k.a
component), violating RFC 2818 requirement[1]. For example, Squid
thought that wrong.host.example.com matched a *.example.com CN.

    [1] "the wildcard character * ... is considered to match any single
    domain name component or component fragment. E.g., *.a.com matches
    foo.a.com but not bar.foo.a.com".

In other contexts (e.g., ACLs), wildcards expand to all components.
matchDomainName() now accepts a mdnRejectSubsubDomains flag that selects
the right behavior for CN match validation.

The old boolean honorWildcards parameter replaced with a flag, for clarity
and consistency sake.

This patch also handles the cases where the host name consists only from dots
(eg malformed Host header or SNI info). The old code has undefined behaniour
in these cases. Moreover it handles the cases a certificate contain zero length
string as CN or alternate name.

This is a Measurement Factory project.

src/URL.h		diff \| blob \| blame \| history
src/acl/ServerName.cc		diff \| blob \| blame \| history
src/ssl/support.cc		diff \| blob \| blame \| history
src/url.cc		diff \| blob \| blame \| history